Android

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data that is currently being processed on the computer. Malicious programs can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs, obtaining passwords, logon details and other information that was once thought to be secure.

Meltdown and Spectre work on personal computers, mobile devices, and in the cloud, including AWS, Azure, and other third-party cloud / IaaS providers.

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information, because there is a chance of leaking it. This applies to personal computers as well as to cloud infrastructure.

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

Google announced a Developer Preview of “Android Things”, an Android-based operating system platform for smart devices and Internet of Things (IoT) products. Best of all, it is designed to make it easier for developers to build a smart appliance, since they will be able to work with the Android APIs and Google services they are already familiar with.

Once installed, the Gooligan malware roots the phone to gain system-level access. The rooted devices then download and install software that steals the authentication tokens that allow the phones to access the owner’s Google-related accounts without having to enter a password. The tokens work for a variety of Google properties, including Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite.

“The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. Our research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages. After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server.

Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.

After achieving root access, Gooligan downloads a new, malicious module from the C&C server and installs it on the infected device. This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behavior so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad. The module allows Gooligan to:

Ad servers, which don’t know whether an app using their service is malicious or not, send Gooligan the names of the apps to download from Google Play. After an app is installed, the ad service pays the attacker. Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C&C server.”

Android users who have downloaded apps from third-party markets can visit the Check Point blog post for a list of the apps known to contain Gooligan.

Check Point has also released a web page it calls the Gooligan Checker, which you can use to check whether you have been compromised by this latest threat.

TunnelBear has just launched a Chrome extension that helps to protect your privacy on a Chromebook, Android, iPhone, iPad, PC, and Mac.

TunnelBear is a Canadian company known for making easy-to-use privacy tools. They specialize in VPN services that keep your phone and computers secure when using public Wi-Fi hotspots. Their service also allows you to “tunnel” into another country to get around content blocking by governments or media companies.

Today TunnelBear is launching a public beta of its new Chrome extension. When installed, it protects everything you do in Chrome by routing it through an encrypted web proxy.

For Chromebook users, almost everything you do should be encrypted, making it a great tool to have. For Windows, Mac, or Linux users, please note that only your Chrome connection will be secured, not the rest of your system’s traffic.

TunnelBear offers a free plan for those with low data usage, or a very cheap paid plan for everyone else.